Cloud Security and Privacy:
An Enterprise Perspective on Risks and Compliance



  Tim Mather
  Subra Kumaraswamy, Sun
  Shahed Latif, KPMG
© 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif




What We Do Not Discuss

• Existing aspects of information security
  which are not impacted by ‘cloud computing’

• Consumer aspects of cloud computing








What We Do Discuss
• Infrastructure Security
  • Network-level
  • Host-level
  • Application-level
• Data Security
• Identity and Access Management (IAM)
• Privacy Considerations
• Audit & Compliance Considerations
• Security-as-a- [Cloud] Service (SaaS)
• Impact on the Role of Corporate IT
Where Risk Has Changed: ±




Components of Information Security

Security Management Services
  • Management – ACL, hygiene, patching, VA, incident response
  • Identity services – AAA, federation, provisioning

Information Security – Data
  • Encryption (transit, rest, processing), lineage, provenance, remanence

Information Security – Infrastructure
  • Application-level
  • Host-level
  • Network-level




Cloud Computing: Evolution








Cloud Pyramid of Flexibility








Infrastructure Security – currently
• Trust boundaries have moved
  • Specifically, customers are unsure where those
    trust boundaries have moved to
  • Established model of network tiers or zones no
    longer exists
    • Domain model does not fully replicate previous
      model
  • No viable, scalable model for host-to-host trust
  • Data labeling / tagging required at the application
    level
    • Data separation is logical, not physical





Infrastructure Security – going forward
• Need for greater transparency regarding
  which party (CSP or customer) provides
  which security capability

• Inter-relationships between systems,
  services, and people need to be addressed
  by identity management







Data Security – currently
• Provider’s data collection efforts and
  monitoring of such (e.g., IPS, NBA)
• Use of encryption
  • Point-to-multipoint data-in-transit an issue
  • Data-at-rest possibly not encrypted
  • Data being processed definitely not encrypted
  • Key management is a significant issue
  • Advocated alternative methods (e.g., obfuscation,
    redaction, truncation) are nonsense
• Data lineage
• Data provenance
• Data remanence




Data Security – going forward
• Large-scale multi-entity key management
  • Must scale past multi-enterprise to inter-cloud
    • Not just hundreds of thousands of systems or even millions of
      virtual machine images, but billions of files or objects
  • Must not only handle the key management lifecycle (per NIST
    SP 800-57, Recommendation for Key Management), but also
    • Key recovery
    • Key archiving
    • Key hierarchies / chaining for legal entities

• Fully homomorphic encryption
  • Potentially huge boon to cloud computing
  • Will increase need for better key management
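Added example, not from the slides or their authors: a minimal key hierarchy of the kind the slide calls "key hierarchies / chaining for legal entities", in Go with only the standard library. A root KEK derives a versioned KEK per legal entity (HMAC-SHA256), each stored object gets its own random DEK (AES-256-GCM), and the DEK is wrapped under the entity KEK. Two of the slide's other points fall out of the structure: key recovery of an archived object needs only the root key plus the (entity, KEK version) recorded with the blob, and rotating an entity's KEK re-wraps DEKs without re-reading object ciphertext. It illustrates the hierarchy, not the full SP 800-57 lifecycle. The type and function names, the derivation label format, the AAD layout and the HSM assumption for the root key are all assumptions made here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// EnvelopedObject is what the storage layer keeps per object: the object sealed
// under its own DEK, and that DEK wrapped under the owning entity's versioned KEK.
type EnvelopedObject struct {
	Entity     string
	KEKVersion int
	WrappedDEK []byte // nonce || AES-256-GCM(entity KEK, DEK)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, object bytes)
}

// deriveEntityKEK derives a per-entity, per-version 256-bit KEK from the root
// key with HMAC-SHA256 (assumption: the root key sits in an HSM and only derived
// keys leave it). Deterministic derivation is what makes recovery possible.
func deriveEntityKEK(root []byte, entity string, version int) []byte {
	mac := hmac.New(sha256.New, root)
	fmt.Fprintf(mac, "entity-kek|%s|v%d", entity, version) // assumed label format
	return mac.Sum(nil)
}

// gcmFor builds AES-256-GCM; every key here is 32 bytes by construction.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // only fails for non-standard block sizes
	return gcm
}

// sealWith returns nonce || ciphertext || tag; aad binds the blob to its context.
func sealWith(key, aad, plaintext []byte) []byte {
	gcm := gcmFor(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // a failing OS CSPRNG is not something to recover from here
	}
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

func openWith(key, aad, blob []byte) ([]byte, error) {
	gcm := gcmFor(key)
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("sealed blob too short (%d bytes)", len(blob))
	}
	return gcm.Open(nil, blob[:n], blob[n:], aad)
}

// wrapAAD ties a wrapped DEK to one entity and one object id (assumed layout).
func wrapAAD(entity, objectID string) []byte { return []byte(entity + "|" + objectID) }

// EncryptObject generates a fresh DEK, seals the object with it, and wraps the
// DEK under the owning entity's current KEK.
func EncryptObject(root []byte, entity string, kekVersion int, objectID string, plaintext []byte) *EnvelopedObject {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		panic(err)
	}
	return &EnvelopedObject{
		Entity:     entity,
		KEKVersion: kekVersion,
		WrappedDEK: sealWith(deriveEntityKEK(root, entity, kekVersion), wrapAAD(entity, objectID), dek),
		Ciphertext: sealWith(dek, []byte(objectID), plaintext),
	}
}

// DecryptObject is also the key-recovery path for an archived object: it needs
// only the root key and the (entity, KEK version) stored beside the blob.
func DecryptObject(root []byte, obj *EnvelopedObject, objectID string) ([]byte, error) {
	kek := deriveEntityKEK(root, obj.Entity, obj.KEKVersion)
	dek, err := openWith(kek, wrapAAD(obj.Entity, objectID), obj.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK for %s: %w", obj.Entity, err)
	}
	return openWith(dek, []byte(objectID), obj.Ciphertext)
}

// RotateEntityKEK re-wraps only the DEK; the object ciphertext is never touched.
func RotateEntityKEK(root []byte, obj *EnvelopedObject, objectID string, newVersion int) error {
	aad := wrapAAD(obj.Entity, objectID)
	dek, err := openWith(deriveEntityKEK(root, obj.Entity, obj.KEKVersion), aad, obj.WrappedDEK)
	if err != nil {
		return err
	}
	obj.WrappedDEK = sealWith(deriveEntityKEK(root, obj.Entity, newVersion), aad, dek)
	obj.KEKVersion = newVersion
	return nil
}
```

Usage: `obj := EncryptObject(root, "acme-eu", 1, "invoice-42", data)`, then `RotateEntityKEK(root, obj, "invoice-42", 2)` and `DecryptObject(root, obj, "invoice-42")` still recovers `data`. Because the wrap AAD carries the entity name, the same blob presented under another legal entity (or another object id) fails authentication, which is the isolation the "chaining for legal entities" bullet asks for. The deliberate weak spot to note is that every entity KEK is derivable from one root key, so the root key's custody (HSM, split knowledge) is the whole game.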




IAM – currently
• Generally speaking, poor situation today:

  • Federated identity not widely available
  • Strong authentication available only through
    delegation
  • Provisioning of user access is proprietary to
    provider
  • User profiles are limited to “administrator” and
    “user”
  • Privilege management is coarse, not granular




IAM – going forward
• Emerging identity-as-a-service (IDaaS)
  needs to evolve beyond authentication

• SAML, SPML and XACML (especially) need
  to be more fully leveraged

• Increasing need for user-to-service and
  service-to-service authentication and
  authorization (OAuth)
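Added example, not from the slides: a small attribute-based policy evaluator in Go, placed beside the coarse "administrator" / "user" model the previous slide describes, to make concrete what "granular" privilege management buys. It also picks up the earlier infrastructure slide's point that data labeling has to happen at the application level: the resource's classification label is just another attribute the policy reads. The evaluator is a stand-in for XACML's deny-overrides combining algorithm, not an XACML implementation; every attribute name, rule name and sample request is constructed here.

```go
package main

import "fmt"

// Effect is a policy decision. The zero value is Deny, so an unmatched
// request is denied by construction.
type Effect int

const (
	Deny Effect = iota
	Permit
)

func (e Effect) String() string {
	if e == Permit {
		return "Permit"
	}
	return "Deny"
}

// Request carries the attributes a policy decision point evaluates: subject
// attributes (who), resource attributes (what, including its data label),
// and the requested action. The attribute names below are assumptions.
type Request struct {
	Subject  map[string]string // role, tenant, mfa
	Resource map[string]string // tenant, classification (the data label)
	Action   string
}

// CoarseDecision is the two-profile model: "administrator" may do anything,
// "user" may read, and nothing else is expressible.
func CoarseDecision(r Request) Effect {
	switch r.Subject["role"] {
	case "administrator":
		return Permit
	case "user":
		if r.Action == "read" {
			return Permit
		}
	}
	return Deny
}

// Rule is one attribute-based rule; Match tests the request's attributes.
type Rule struct {
	Name   string
	Effect Effect
	Match  func(Request) bool
}

// GranularDecision evaluates rules with deny-overrides combining: any matching
// Deny wins, otherwise the last matching Permit applies, otherwise default-deny.
// It returns the decision and the rule that produced it, for audit logging.
func GranularDecision(rules []Rule, r Request) (Effect, string) {
	decision, reason := Deny, "default-deny"
	for _, rule := range rules {
		if !rule.Match(r) {
			continue
		}
		if rule.Effect == Deny {
			return Deny, rule.Name
		}
		decision, reason = Permit, rule.Name
	}
	return decision, reason
}

// TenantPolicy is a constructed policy set for a multi-tenant service.
func TenantPolicy() []Rule {
	return []Rule{
		{"deny-cross-tenant", Deny, func(r Request) bool {
			return r.Subject["tenant"] != r.Resource["tenant"]
		}},
		{"deny-regulated-without-mfa", Deny, func(r Request) bool {
			return r.Resource["classification"] == "regulated" && r.Subject["mfa"] != "true"
		}},
		{"permit-read", Permit, func(r Request) bool { return r.Action == "read" }},
		{"permit-write-for-data-owner", Permit, func(r Request) bool {
			return r.Action == "write" && r.Subject["role"] == "data-owner"
		}},
		{"permit-rotate-key-for-key-custodian", Permit, func(r Request) bool {
			return r.Action == "rotate-key" && r.Subject["role"] == "key-custodian"
		}},
	}
}

func main() {
	// Constructed request: an administrator of tenant A deleting tenant B's
	// regulated data. The coarse model permits it; the granular policy denies.
	r := Request{
		Subject:  map[string]string{"role": "administrator", "tenant": "tenant-a", "mfa": "false"},
		Resource: map[string]string{"tenant": "tenant-b", "classification": "regulated"},
		Action:   "delete",
	}
	g, why := GranularDecision(TenantPolicy(), r)
	fmt.Printf("coarse: %v, granular: %v (%s)\n", CoarseDecision(r), g, why)
}
```

The two models disagree in both directions: the coarse one lets any administrator cross a tenant boundary, and it cannot express a key custodian who may rotate keys but not read data. Returning the matched rule name alongside the decision is deliberate; it is what makes the authorization log auditable, which ties back to the assurance problem on the audit slides.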





Privacy – currently
• Transborder data issues may be exacerbated
  • Specifically, where are cloud computing activities
    occurring?


• Data governance is weak
  • Encryption is not pervasive
  • Data remanence receives inadequate attention
  • CSPs absolve themselves of privacy concerns:
    ‘We don’t look at your data’




Privacy – going forward
• Privacy laws are inconsistent across
  jurisdictions; need global standard

• Need specific requirements for auditing (e.g.,
  AICPA/CICA Generally Accepted Privacy Principles
  – GAPP)








Audit & Compliance – currently

• Effectiveness of current audit frameworks
  questionable (e.g., SAS 70 Type II)

• CSP users need to:
  • define their control requirements
  • understand their CSP’s internal control monitoring
    processes
  • analyze relevant external audit reports

• Issue is assurance of compliance




Audit & Compliance – going forward

• Inter-cloud (i.e., cross-CSP) solutions will
  demand unified compliance framework

• The volume and multi-tenancy of cloud computing
  demand that CSP compliance programs be
  more real-time and have greater coverage
  than most traditional compliance programs






Security-as-a-Service – currently
• Some offerings mature
  • E-mail filtering, archiving
  • Web content filtering
• Some offerings still emerging
  • (E-mail) eDiscovery
  • Identity-as-a-Service (IDaaS)
  • Encryption, key management
• Today’s security-as-a-service providers sell
  to CSP customers, not CSPs
• None of today’s CSPs offer security-as-a-service
  as an integrated offering




Security-as-a-Service – going forward
• Horizontal integration
  • Pure play SaaS providers will broaden offerings
    beyond e-mail + Web content filtering
• Vertical integration
  • CSPs will offer SaaS as integrated offering
• IDaaS has to scale effectively for cloud
  computing to truly take off
• Complexity of key management screams for
  SaaS offering





Impact on Role of Corporate IT – currently
• Governance issue as internal IT becomes
  “consultants” and business analysts to
  business units
• Delineation of responsibilities between
  providers and customers much more
  nebulous than between customers and
  outsourcers, colocation facilities, or ASPs
• Cloud computing likely to involve much more
  direct business unit interaction with CSPs
  than with other providers previously




Impact on Role of Corporate IT – going forward
• Relationship between business units and corporate
  IT departments vis-à-vis CSPs will shift greater
  power to business units from IT
• Number of functions performed today by corporate
  IT departments will shift to CSPs, along with
  corresponding job positions
• Functions performed by corporate IT departments
  will shift from those who do (i.e., practitioners who
  build or operate) to those who define and manage
• IT itself will become more of a commodity as
  practices and skills are standardized and
  automated




Conclusions
• Part of customers’ infrastructure security
  moves beyond their control
• Provider’s infrastructure security may
  (enterprise) or may not (SMB) be less robust
  than customers’ expectations
• Data security becomes significantly more
  important – yet provider capabilities are
  inadequate (except for simple storage, which
  can be encrypted, and processing of non-sensitive
  (unregulated and unclassified) data)




Conclusions (continued)
• IAM is less than adequate for enterprises –
  weak authentication unless delegated back
  to customers or federated, weak authorization,
  proprietary provisioning

• Because of above, expect significant
  business unit pressure to desensitize or
  anonymize data; expect this to become a
  chokepoint
  • No established standards for obfuscation,
    redaction, or truncation




What’s Good about the Cloud?
• A lot! Both for enterprises and SMBs – for
  handling of non-sensitive (unregulated and
  unclassified) data

• Cost
• Flexibility
• Scalability
• Speed






Developments to Watch
• VMware’s vCloud API – submitted to DMTF
• Amazon’s Virtual Private Cloud – hybrid
  cloud that extends private cloud through
  “cloud bursting”
• Security-as-a-Service offered by CSPs (e.g.,
  Amazon’s Multi-Factor Authentication)
• Cloud Security Alliance v2 white paper
• Slow transparency and assurance from CSP
  (e.g., ISO 27002-based assurance)
• IT governance framework that blends ITIL,
  ISO 27002, CObIT



  Continue the discussion on-line at: cloudsecurityandprivacy.com
                                                                                         25

Mais conteúdo relacionado

Mais procurados

Cloud security and security architecture
Cloud security and security architectureCloud security and security architecture
Cloud security and security architectureVladimir Jirasek
 
Cloud security Presentation
Cloud security PresentationCloud security Presentation
Cloud security PresentationAjay p
 
Cloud computing security issues and challenges
Cloud computing security issues and challengesCloud computing security issues and challenges
Cloud computing security issues and challengesDheeraj Negi
 
CS8791 Cloud Computing - Question Bank
CS8791 Cloud Computing - Question BankCS8791 Cloud Computing - Question Bank
CS8791 Cloud Computing - Question Bankpkaviya
 
Introduction to cloud computing
Introduction to cloud computingIntroduction to cloud computing
Introduction to cloud computingJithin Parakka
 
Security Issues of Cloud Computing
Security Issues of Cloud ComputingSecurity Issues of Cloud Computing
Security Issues of Cloud ComputingFalgun Rathod
 
Infrastructure as a Service ( IaaS)
Infrastructure as a Service ( IaaS)Infrastructure as a Service ( IaaS)
Infrastructure as a Service ( IaaS)Ravindra Dastikop
 
Cloud computing Risk management
Cloud computing Risk management  Cloud computing Risk management
Cloud computing Risk management Padma Jella
 
Cloud Resource Management
Cloud Resource ManagementCloud Resource Management
Cloud Resource ManagementNASIRSAYYED4
 
Cloud Computing Security Challenges
Cloud Computing Security ChallengesCloud Computing Security Challenges
Cloud Computing Security ChallengesYateesh Yadav
 
Storage Virtualization
Storage VirtualizationStorage Virtualization
Storage VirtualizationMehul Jariwala
 
Cloud Security: A New Perspective
Cloud Security: A New PerspectiveCloud Security: A New Perspective
Cloud Security: A New PerspectiveWen-Pai Lu
 
Migration into a Cloud
Migration into a CloudMigration into a Cloud
Migration into a CloudDivya S
 
Cloud Computing- components, working, pros and cons
Cloud Computing- components, working, pros and consCloud Computing- components, working, pros and cons
Cloud Computing- components, working, pros and consAmritpal Singh Bedi
 

Mais procurados (20)

Cloud security
Cloud securityCloud security
Cloud security
 
Cloud security and security architecture
Cloud security and security architectureCloud security and security architecture
Cloud security and security architecture
 
Cloud security Presentation
Cloud security PresentationCloud security Presentation
Cloud security Presentation
 
Cloud computing security issues and challenges
Cloud computing security issues and challengesCloud computing security issues and challenges
Cloud computing security issues and challenges
 
CS8791 Cloud Computing - Question Bank
CS8791 Cloud Computing - Question BankCS8791 Cloud Computing - Question Bank
CS8791 Cloud Computing - Question Bank
 
Introduction to cloud computing
Introduction to cloud computingIntroduction to cloud computing
Introduction to cloud computing
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
Security Issues of Cloud Computing
Security Issues of Cloud ComputingSecurity Issues of Cloud Computing
Security Issues of Cloud Computing
 
Infrastructure as a Service ( IaaS)
Infrastructure as a Service ( IaaS)Infrastructure as a Service ( IaaS)
Infrastructure as a Service ( IaaS)
 
Cloud computing Risk management
Cloud computing Risk management  Cloud computing Risk management
Cloud computing Risk management
 
Cloud Resource Management
Cloud Resource ManagementCloud Resource Management
Cloud Resource Management
 
Application of Cloud Computing
Application of Cloud ComputingApplication of Cloud Computing
Application of Cloud Computing
 
Cloud Computing Security Challenges
Cloud Computing Security ChallengesCloud Computing Security Challenges
Cloud Computing Security Challenges
 
Storage Virtualization
Storage VirtualizationStorage Virtualization
Storage Virtualization
 
Cloud security
Cloud security Cloud security
Cloud security
 
Cloud Security: A New Perspective
Cloud Security: A New PerspectiveCloud Security: A New Perspective
Cloud Security: A New Perspective
 
Migration into a Cloud
Migration into a CloudMigration into a Cloud
Migration into a Cloud
 
Cloud Computing- components, working, pros and cons
Cloud Computing- components, working, pros and consCloud Computing- components, working, pros and cons
Cloud Computing- components, working, pros and cons
 
IaaS, SaaS, PasS : Cloud Computing
IaaS, SaaS, PasS : Cloud ComputingIaaS, SaaS, PasS : Cloud Computing
IaaS, SaaS, PasS : Cloud Computing
 
Privacy issues in the cloud
Privacy issues in the cloudPrivacy issues in the cloud
Privacy issues in the cloud
 

Destaque

Security & Privacy in Cloud Computing
Security & Privacy in Cloud ComputingSecurity & Privacy in Cloud Computing
Security & Privacy in Cloud ComputingJohn D. Johnson
 
Privacy and security in the cloud Challenges and solutions for our future inf...
Privacy and security in the cloud Challenges and solutions for our future inf...Privacy and security in the cloud Challenges and solutions for our future inf...
Privacy and security in the cloud Challenges and solutions for our future inf...PRISMACLOUD Project
 
Security & Privacy In Cloud Computing
Security & Privacy In Cloud ComputingSecurity & Privacy In Cloud Computing
Security & Privacy In Cloud Computingsaurabh soni
 
Lecture01: Introduction to Security and Privacy in Cloud Computing
Lecture01: Introduction to Security and Privacy in Cloud ComputingLecture01: Introduction to Security and Privacy in Cloud Computing
Lecture01: Introduction to Security and Privacy in Cloud Computingragibhasan
 
Cloud Computing : Top to Bottom
Cloud Computing : Top to BottomCloud Computing : Top to Bottom
Cloud Computing : Top to BottomIstiyak Siddiquee
 
Security and Privacy in Cloud Computing - a High-level view
Security and Privacy in Cloud Computing - a High-level viewSecurity and Privacy in Cloud Computing - a High-level view
Security and Privacy in Cloud Computing - a High-level viewragibhasan
 
The Security and Privacy Threats to Cloud Computing
The Security and Privacy Threats to Cloud ComputingThe Security and Privacy Threats to Cloud Computing
The Security and Privacy Threats to Cloud ComputingAnkit Singh
 
Cloud security privacy- org
Cloud security  privacy- orgCloud security  privacy- org
Cloud security privacy- orgDharmalingam S
 
Fonality HUD Mobile FAQ
Fonality HUD Mobile FAQFonality HUD Mobile FAQ
Fonality HUD Mobile FAQFonality
 
Children food safety
Children food safetyChildren food safety
Children food safetyphebe14
 
100 Greatest Military Photos
100 Greatest Military Photos100 Greatest Military Photos
100 Greatest Military PhotosMichele_Rempe
 

Destaque (16)

Security & Privacy in Cloud Computing
Security & Privacy in Cloud ComputingSecurity & Privacy in Cloud Computing
Security & Privacy in Cloud Computing
 
Privacy and security in the cloud Challenges and solutions for our future inf...
Privacy and security in the cloud Challenges and solutions for our future inf...Privacy and security in the cloud Challenges and solutions for our future inf...
Privacy and security in the cloud Challenges and solutions for our future inf...
 
Security & Privacy In Cloud Computing
Security & Privacy In Cloud ComputingSecurity & Privacy In Cloud Computing
Security & Privacy In Cloud Computing
 
Lecture01: Introduction to Security and Privacy in Cloud Computing
Lecture01: Introduction to Security and Privacy in Cloud ComputingLecture01: Introduction to Security and Privacy in Cloud Computing
Lecture01: Introduction to Security and Privacy in Cloud Computing
 
Cloud Computing Security Issues
Cloud Computing Security Issues Cloud Computing Security Issues
Cloud Computing Security Issues
 
Customer Classification
Customer Classification Customer Classification
Customer Classification
 
cloud computing ppt
cloud computing pptcloud computing ppt
cloud computing ppt
 
Cloud Computing : Top to Bottom
Cloud Computing : Top to BottomCloud Computing : Top to Bottom
Cloud Computing : Top to Bottom
 
Security and Privacy in Cloud Computing - a High-level view
Security and Privacy in Cloud Computing - a High-level viewSecurity and Privacy in Cloud Computing - a High-level view
Security and Privacy in Cloud Computing - a High-level view
 
The Security and Privacy Threats to Cloud Computing
The Security and Privacy Threats to Cloud ComputingThe Security and Privacy Threats to Cloud Computing
The Security and Privacy Threats to Cloud Computing
 
Cloud security privacy- org
Cloud security  privacy- orgCloud security  privacy- org
Cloud security privacy- org
 
Fonality HUD Mobile FAQ
Fonality HUD Mobile FAQFonality HUD Mobile FAQ
Fonality HUD Mobile FAQ
 
Children food safety
Children food safetyChildren food safety
Children food safety
 
How fleet insurance works
How fleet insurance worksHow fleet insurance works
How fleet insurance works
 
100 Greatest Military Photos
100 Greatest Military Photos100 Greatest Military Photos
100 Greatest Military Photos
 
FAR Overhead Audits - The Good, the Bad, and the Ugly
FAR Overhead Audits - The Good, the Bad, and the UglyFAR Overhead Audits - The Good, the Bad, and the Ugly
FAR Overhead Audits - The Good, the Bad, and the Ugly
 

Semelhante a Cloud Security Risks and Compliance Perspective

MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITREMITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITREMITRE - ATT&CKcon
 
The evolution of continuous cloud security and compliance - DEM05-S - New Yor...
The evolution of continuous cloud security and compliance - DEM05-S - New Yor...The evolution of continuous cloud security and compliance - DEM05-S - New Yor...
The evolution of continuous cloud security and compliance - DEM05-S - New Yor...Amazon Web Services
 
Cloud Computing - Security (BIG Data)
Cloud Computing - Security (BIG Data)Cloud Computing - Security (BIG Data)
Cloud Computing - Security (BIG Data)Vasanth Ganesan
 
Selecting csp iapp_summit_2012 - 5-february
Selecting csp iapp_summit_2012 - 5-februarySelecting csp iapp_summit_2012 - 5-february
Selecting csp iapp_summit_2012 - 5-februaryscm24
 
Pinning Down Cloud Computing
Pinning Down Cloud ComputingPinning Down Cloud Computing
Pinning Down Cloud ComputingYankee Group
 
Clouds in emerging markets
Clouds in emerging marketsClouds in emerging markets
Clouds in emerging marketsACMBangalore
 
Cloud Computing & Cybersecurity in Industry 4.0
Cloud Computing & Cybersecurity in Industry 4.0Cloud Computing & Cybersecurity in Industry 4.0
Cloud Computing & Cybersecurity in Industry 4.0PT Datacomm Diangraha
 
Webinar: The Importance of a Next-Generation Network
Webinar: The Importance of a Next-Generation NetworkWebinar: The Importance of a Next-Generation Network
Webinar: The Importance of a Next-Generation NetworkKSM Consulting
 
10 security concerns cloud computing
10 security concerns cloud computing10 security concerns cloud computing
10 security concerns cloud computingHossam Zein
 
Cloud computing arma_nnj
Cloud computing arma_nnjCloud computing arma_nnj
Cloud computing arma_nnjscm24
 
Cw13 cloud computing & big data by ahmed aamer
Cw13 cloud computing & big data by ahmed aamerCw13 cloud computing & big data by ahmed aamer
Cw13 cloud computing & big data by ahmed aamerinevitablecloud
 
Cloud Computing Introduction
Cloud Computing IntroductionCloud Computing Introduction
Cloud Computing IntroductionMzos Pune
 
Cloud Security - Emerging Facets and Frontiers
Cloud Security - Emerging Facets and FrontiersCloud Security - Emerging Facets and Frontiers
Cloud Security - Emerging Facets and FrontiersGokul Alex
 
Cognizant Cloud for Utilities
Cognizant Cloud for UtilitiesCognizant Cloud for Utilities
Cognizant Cloud for UtilitiesSteve Lennon
 
Making Your Data Center Selection: The Whens, Whys, and Hows
Making Your Data Center Selection: The Whens, Whys, and HowsMaking Your Data Center Selection: The Whens, Whys, and Hows
Making Your Data Center Selection: The Whens, Whys, and HowsKSM Consulting
 
SPSUK2013 - Matt Groves - Cloud Readiness
SPSUK2013 - Matt Groves - Cloud ReadinessSPSUK2013 - Matt Groves - Cloud Readiness
SPSUK2013 - Matt Groves - Cloud ReadinessMatt Groves
 
EMEA10: Trepidation in Moving to the Cloud
EMEA10: Trepidation in Moving to the CloudEMEA10: Trepidation in Moving to the Cloud
EMEA10: Trepidation in Moving to the CloudCompTIA UK
 

Semelhante a Cloud Security Risks and Compliance Perspective (20)

MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITREMITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
 
Cloud Computing
Cloud ComputingCloud Computing
Cloud Computing
 
Cloud Security Alliance - Guidance
Cloud Security Alliance - GuidanceCloud Security Alliance - Guidance
Cloud Security Alliance - Guidance
 
The evolution of continuous cloud security and compliance - DEM05-S - New Yor...
The evolution of continuous cloud security and compliance - DEM05-S - New Yor...The evolution of continuous cloud security and compliance - DEM05-S - New Yor...
The evolution of continuous cloud security and compliance - DEM05-S - New Yor...
 
Cloud Computing - Security (BIG Data)
Cloud Computing - Security (BIG Data)Cloud Computing - Security (BIG Data)
Cloud Computing - Security (BIG Data)
 
Selecting csp iapp_summit_2012 - 5-february
Selecting csp iapp_summit_2012 - 5-februarySelecting csp iapp_summit_2012 - 5-february
Selecting csp iapp_summit_2012 - 5-february
 
Pinning Down Cloud Computing
Pinning Down Cloud ComputingPinning Down Cloud Computing
Pinning Down Cloud Computing
 
Clouds in emerging markets
Clouds in emerging marketsClouds in emerging markets
Clouds in emerging markets
 
Cloud Computing & Cybersecurity in Industry 4.0
Cloud Computing & Cybersecurity in Industry 4.0Cloud Computing & Cybersecurity in Industry 4.0
Cloud Computing & Cybersecurity in Industry 4.0
 
Webinar: The Importance of a Next-Generation Network
Webinar: The Importance of a Next-Generation NetworkWebinar: The Importance of a Next-Generation Network
Webinar: The Importance of a Next-Generation Network
 
C037013015
C037013015C037013015
C037013015
 
10 security concerns cloud computing
10 security concerns cloud computing10 security concerns cloud computing
10 security concerns cloud computing
 
Cloud computing arma_nnj
Cloud computing arma_nnjCloud computing arma_nnj
Cloud computing arma_nnj
 
Cw13 cloud computing & big data by ahmed aamer
Cw13 cloud computing & big data by ahmed aamerCw13 cloud computing & big data by ahmed aamer
Cw13 cloud computing & big data by ahmed aamer
 
Cloud Computing Introduction
Cloud Computing IntroductionCloud Computing Introduction
Cloud Computing Introduction
 
Cloud Security - Emerging Facets and Frontiers
Cloud Security - Emerging Facets and FrontiersCloud Security - Emerging Facets and Frontiers
Cloud Security - Emerging Facets and Frontiers
 
Cognizant Cloud for Utilities
Cognizant Cloud for UtilitiesCognizant Cloud for Utilities
Cognizant Cloud for Utilities
 
Making Your Data Center Selection: The Whens, Whys, and Hows
Making Your Data Center Selection: The Whens, Whys, and HowsMaking Your Data Center Selection: The Whens, Whys, and Hows
Making Your Data Center Selection: The Whens, Whys, and Hows
 
SPSUK2013 - Matt Groves - Cloud Readiness
SPSUK2013 - Matt Groves - Cloud ReadinessSPSUK2013 - Matt Groves - Cloud Readiness
SPSUK2013 - Matt Groves - Cloud Readiness
 
EMEA10: Trepidation in Moving to the Cloud
EMEA10: Trepidation in Moving to the CloudEMEA10: Trepidation in Moving to the Cloud
EMEA10: Trepidation in Moving to the Cloud
 

Cloud Security Risks and Compliance Perspective

  • 1. Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance Tim Mather Subra Kumaraswamy, Sun Shahed Latif, KPMG
  • 2. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif What We Do Not Discuss • Existing aspects of information security which are not impacted by ‘cloud computing’ • Consumer aspects of cloud computing 2
  • 3. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif What We Do Discuss • Infrastructure Security • Network-level • Host-level • Application-level • Data Security • Identity and Access Management (IAM) • Privacy Considerations • Audit & Compliance Considerations • Security-as-a- [Cloud] Service (SaaS) • Impact on the Role of Corporate IT Where Risk Has Changed: ± 3
  • 4. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif Components of Information Security Security Management Services Management – ACL, hygiene, patching, VA, incident response Identity services – AAA, federation, provisioning Information Security – Data Encryption (transit, rest, processing), lineage, provenance, remanence Information Security – Infrastructure Application-level Host-level Network-level 4
  • 5. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif Cloud Computing: Evolution 5
  • 6. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif Cloud Pyramid of Flexibility 6
  • 7. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif Infrastructure Security – currently • Trust boundaries have moved • Specifically, customers are unsure where those trust boundaries have moved to • Established model of network tiers or zones no longer exists • Domain model does not fully replicate previous model • No viable, scalable model for host-to-host trust • Data labeling / tagging required at application- level • Data separation is logical not physical 7
  • 8. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif Infrastructure Security – going forward • Need for greater transparency regarding which party (CSP or customer) provides which security capability • Inter-relationships between systems, services, and people needs to be addressed by identity management 8
  • 9. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif Data Security – currently • Provider’s data collection efforts and monitoring of such (e.g., IPS, NBA) • Use of encryption • Point-to-multipoint data-in-transit an issue • Data-at-rest possibly not encrypted • Data being processed definitely not encrypted • Key management is a significant issue • Advocated alternative methods (e.g., obfuscation, redaction, truncation) are nonsense • Data lineage • Data provenance • Data remanence 9
  • 10. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif Data Security – going forward Large-scale multi-entity key management • Must scale past multi-enterprise to inter-cloud • Not just hundreds of thousands of systems or even millions of virtual machine images, but billions of files or objects • Must not only handle key management lifecycle (per NIST SP 800-57, Recommendation for Key Management), but also • Key recovery • Key archiving • Key hierarchies / chaining for legal entities • Fully homomorphic encryption • Potentially huge boon to cloud computing • Will increase need for better key management 10
  • 11. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif IAM – currently • Generally speaking, poor situation today: • Federated identity widely not available • Strong authentication available only through delegation • Provisioning of user access is proprietary to provider • User profiles are limited to “administrator” and “user” • Privilege management is coarse, not granular 11
  • 12. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif IAM – going forward • Emerging identity-as-a-service (IDaaS) needs to evolve beyond authentication • SAML, SPML and XACML (especially) need to be more fully leveraged • Increasing need for user-to-service and service-to-service authentication and authorization (OAuth) 12
  • 13. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif Privacy – currently • Transborder data issues may be exacerbated • Specifically, where are cloud computing activities occurring? • Data governance is weak • Encryption is not pervasive • Data remanence receives inadequate attention • Cusps absolve themselves of privacy concerns: ‘We don’t look at your data’ 13
  • 14. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif Privacy – going forward • Privacy laws are inconsistent across jurisdictions; need global standard • Need specific requirements for auditing (e.g., AICPA/CICA Generally Accepted Privacy Principles – GAPP) 14
Audit & Compliance – currently
• Effectiveness of current audit frameworks is questionable (e.g., SAS 70 Type II)
• CSP users need to:
    •   define their control requirements
    •   understand their CSP’s internal control monitoring processes
    •   analyze relevant external audit reports
• The issue is assurance of compliance
Audit & Compliance – going forward
• Inter-cloud (i.e., cross-CSP) solutions will demand a unified compliance framework
• The volume and multi-tenancy of cloud computing demand that CSP compliance programs be more real-time and have greater coverage than most traditional compliance programs
Security-as-a-Service – currently
• Some offerings mature
    •   E-mail filtering, archiving
    •   Web content filtering
• Some offerings still emerging
    •   (E-mail) eDiscovery
    •   Identity-as-a-Service (IDaaS)
    •   Encryption, key management
• Today’s security-as-a-service providers sell to CSP customers, not to CSPs
• None of today’s CSPs offer security-as-a-service as an integrated offering
Security-as-a-Service – going forward
• Horizontal integration
    •   Pure-play security-as-a-service providers will broaden offerings beyond e-mail and Web content filtering
• Vertical integration
    •   CSPs will offer security-as-a-service as an integrated offering
• IDaaS has to scale effectively for cloud computing to truly take off
• Complexity of key management screams for a security-as-a-service offering
Impact on Role of Corporate IT – currently
• Governance issue as internal IT becomes “consultants” and business analysts to business units
• Delineation of responsibilities between providers and customers is much more nebulous than between customers and outsourcers, collocation facilities, or ASPs
• Cloud computing is likely to involve much more direct business unit interaction with CSPs than with previous kinds of providers
Impact on Role of Corporate IT – going forward
• Relationship between business units and corporate IT departments vis-à-vis CSPs will shift greater power to business units from IT
• A number of functions performed today by corporate IT departments will shift to CSPs, along with the corresponding job positions
• Functions performed by corporate IT departments will shift from those who do (i.e., practitioners who build or operate) to those who define and manage
• IT itself will become more of a commodity as practices and skills are standardized and automated
Conclusions
• Part of customers’ infrastructure security moves beyond their control
• Provider’s infrastructure security may (enterprise) or may not (SMB) be less robust than customers’ expectations
• Data security becomes significantly more important – yet provider capabilities are inadequate (except for simple storage, which can be encrypted, and processing of non-sensitive (unregulated and unclassified) data)
Conclusions (continued)
• IAM is less than adequate for enterprises – weak authentication unless delegated back to customers or federated, weak authorization, proprietary provisioning
• Because of the above, expect significant business unit pressure to desensitize or anonymize data; expect this to become a chokepoint
• No established standards for obfuscation, redaction, or truncation
What’s Good about the Cloud?
• A lot! Both for enterprises and SMBs – for handling of non-sensitive (unregulated and unclassified) data
    •   Cost
    •   Flexibility
    •   Scalability
    •   Speed
Developments to Watch
• VMware’s vCloud API – submitted to DMTF
• Amazon’s Virtual Private Cloud – hybrid cloud that extends a private cloud through “cloud bursting”
• Security-as-a-Service offered by CSPs (e.g., Amazon’s Multi-Factor Authentication)
• Cloud Security Alliance v2 white paper
• Slow transparency and assurance from CSPs (e.g., ISO 27002-based assurance)
• IT governance framework that blends ITIL, ISO 27002, CObIT
Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance
Continue the discussion on-line at: cloudsecurityandprivacy.com